SHOREWALL-TUNNELS(5)          Configuration Files         SHOREWALL-TUNNELS(5)

NAME
tunnels - Shorewall VPN definition file

SYNOPSIS
/etc/shorewall[6]/tunnels

DESCRIPTION
The tunnels file is used to define rules for encapsulated (usually
encrypted) traffic to pass between the Shorewall system and a remote
gateway. Traffic flowing through the tunnel is handled using the normal
zone/policy/rule mechanism. See
http://www.shorewall.net/VPNBasics.html[1] for details.

The columns in the file are as follows.

TYPE -
{ipsec[:{noah|ah}]|ipsecnat|ipip|gre|l2tp|pptpclient|pptpserver|?COMMENT|{openvpn|openvpnclient|openvpnserver}[:{tcp|udp}][:port]|generic:protocol[:port]}
Types are as follows:

6to4 or 6in4 - 6to4 or 6in4 tunnel. The 6in4 synonym was added in 4.4.24.
ipsec - IPv4 IPSEC
ipsecnat - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
ipip - IPv4 encapsulated in IPv4 (Protocol 4)
gre - Generalized Routing Encapsulation (Protocol 47)
l2tp - Layer 2 Tunneling Protocol (UDP port 1701)
pptpclient - PPTP Client runs on the firewall
pptpserver - PPTP Server runs on the firewall
openvpn - OpenVPN in point-to-point mode
openvpnclient - OpenVPN client runs on the firewall
openvpnserver - OpenVPN server runs on the firewall
generic - Other tunnel type
tinc - TINC (added in Shorewall 4.6.6)

If the type is ipsec, it may be followed by :ah to indicate that
the Authentication Headers protocol (51) is used by the tunnel (the
default is :noah which means that protocol 51 is not used). NAT
traversal is only supported with ESP (protocol 50) so ipsecnat
tunnels don't allow the ah option (ipsecnat:noah may be specified
but is redundant).

If type is openvpn, openvpnclient or openvpnserver it may
optionally be followed by ":" and tcp or udp to specify the
protocol to be used. If not specified, udp is assumed.

If type is openvpn, openvpnclient or openvpnserver it may
optionally be followed by ":" and the port number used by the
tunnel. If no ":" and port number are included, then the default
port of 1194 will be used. Where both the protocol and port are
specified, the protocol must be given first (e.g.,
openvpn:tcp:4444).

If type is generic, it must be followed by ":" and a protocol name
(from /etc/protocols) or a protocol number. If the protocol is tcp
or udp (6 or 17), then it may optionally be followed by ":" and a
port number.

Comments may be attached to Netfilter rules generated from entries
in this file through the use of ?COMMENT lines. These lines begin
with ?COMMENT; the remainder of the line is treated as a comment
which is attached to subsequent rules until another ?COMMENT line
is found or until the end of the file is reached. To stop adding
comments to rules, use a line containing only ?COMMENT.

Note
Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
COMMENT and is preferred.

ZONE - zone
The zone of the physical interface through which tunnel traffic
passes. This is normally your internet zone.

GATEWAY(S) (gateway or gateways) - address-or-range [ , ... ]
The IP address of the remote tunnel gateway. If the remote gateway
has no fixed address (Road Warrior) then specify the gateway as
0.0.0.0/0. May be specified as a network address and if your kernel
and iptables include iprange match support then IP address ranges
are also allowed.

Beginning with Shorewall 4.5.3, a list of addresses or ranges may
be given. Exclusion (shorewall-exclusion[2] (5) ) is not supported.

GATEWAY ZONES (gateway_zone or gateway_zones) - [zone[,zone]...]
Optional. If the gateway system specified in the third column is a
standalone host then this column should contain a comma-separated
list of the names of the zones that the host might be in. This
column only applies to IPSEC tunnels where it enables ISAKMP
traffic to flow through the tunnel to the remote gateway(s).

EXAMPLES
IPv4 Example 1:
IPSec tunnel.

The remote gateway is 4.33.99.124 and the remote subnet is
192.168.9.0/24. The tunnel does not use the AH protocol.

#TYPE            ZONE   GATEWAY
ipsec:noah       net    4.33.99.124

IPv4 Example 2:
Road Warrior (LapTop that may connect from anywhere) where the "gw"
zone is used to represent the remote LapTop.

#TYPE            ZONE   GATEWAY          GATEWAY ZONES
ipsec            net    0.0.0.0/0        gw

IPv4 Example 3:
Host 4.33.99.124 is a standalone system connected via an ipsec
tunnel to the firewall system. The host is in zone gw.

#TYPE            ZONE   GATEWAY          GATEWAY ZONES
ipsec            net    4.33.99.124      gw

IPv4 Example 4:
Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The
FreeS/Wan _updown script will add the host to the appropriate zone
using the shorewall add command on connect and will remove the host
from the zone at disconnect time.

#TYPE            ZONE   GATEWAY          GATEWAY ZONES
ipsec            net    0.0.0.0/0        vpn1,vpn2,vpn3

IPv4 Example 5:
You run the Linux PPTP client on your firewall and connect to
server 192.0.2.221.

#TYPE            ZONE   GATEWAY          GATEWAY ZONES
pptpclient       net    192.0.2.221

IPv4 Example 6:
You run a PPTP server on your firewall.

#TYPE            ZONE   GATEWAY          GATEWAY ZONES
pptpserver       net    0.0.0.0/0

Example 7:
OPENVPN tunnel. The remote gateway is 4.33.99.124 and openvpn uses
port 7777.

#TYPE            ZONE   GATEWAY          GATEWAY ZONES
openvpn:7777     net    4.33.99.124

IPv4 Example 8:
You have a tunnel that is not one of the supported types. Your
tunnel uses UDP port 4444. The other end of the tunnel is
4.3.99.124.

#TYPE            ZONE   GATEWAY          GATEWAY ZONES
generic:udp:4444 net    4.3.99.124

IPv4 Example 9:
TINC tunnel where the remote gateways are not specified. If you
wish to specify a list of gateways, you can do so in the GATEWAY
column.

#TYPE            ZONE   GATEWAY          GATEWAY ZONES
tinc             net    0.0.0.0/0

IPv6 Example 1:
IPSec tunnel.

The remote gateway is 2001:cec792b4:1::44. The tunnel does not use
the AH protocol.

#TYPE            ZONE   GATEWAY
ipsec:noah       net    2002:cec792b4:1::44

IPv6 Example 2:
Road Warrior (LapTop that may connect from anywhere) where the "gw"
zone is used to represent the remote LapTop.

#TYPE            ZONE   GATEWAY                GATEWAY ZONES
ipsec            net    ::/0                   gw

IPv6 Example 3:
Host 2001:cec792b4:1::44 is a standalone system connected via an
ipsec tunnel to the firewall system. The host is in zone gw.

#TYPE            ZONE   GATEWAY                GATEWAY ZONES
ipsec            net    2001:cec792b4:1::44    gw

IPv6 Example 4:
OPENVPN tunnel. The remote gateway is 2001:cec792b4:1::44 and
openvpn uses port 7777.

#TYPE            ZONE   GATEWAY                GATEWAY ZONES
openvpn:7777     net    2001:cec792b4:1::44

IPv6 Example 8:
You have a tunnel that is not one of the supported types. Your
tunnel uses UDP port 4444. The other end of the tunnel is
2001:cec792b4:1::44.

#TYPE            ZONE   GATEWAY                GATEWAY ZONES
generic:udp:4444 net    2001:cec792b4:1::44

IPv6 Example 9:
TINC tunnel where the remote gateways are not specified. If you
wish to specify a list of gateways, you can do so in the GATEWAY
column.

#TYPE            ZONE   GATEWAY                GATEWAY ZONES
tinc             net    ::/0
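As an added example (not code from the Shorewall man page or project), the following Python parses the TYPE column syntax described above and the example rows, and derives the protocol/port pairs each entry implies must be permitted between the firewall and the gateway; it also rejects the combinations the page calls invalid (ipsecnat:ah, a port after openvpn's protocol is missing, a port on a non-TCP/UDP generic protocol). The ISAKMP port UDP 500 is an assumed standard value the page does not state, and the 6to4, pptp and tinc types are deliberately left unhandled.

```python
# Protocols/ports the page lists for fixed tunnel types: (proto, port).
FIXED = {"ipip": [("4", None)], "gre": [("47", None)], "l2tp": [("udp", 1701)]}
OPENVPN = {"openvpn", "openvpnclient", "openvpnserver"}

def parse_type(spec):
    """Return the (protocol, port) pairs a TYPE value implies; raise on bad syntax."""
    kind, *opts = spec.lower().split(":")
    if kind in FIXED:
        return list(FIXED[kind])
    if kind in ("ipsec", "ipsecnat"):
        # ESP (50) is always used; ISAKMP on UDP 500 is an assumed standard port.
        allow = [("50", None), ("udp", 500)]
        if kind == "ipsecnat":
            allow.append(("udp", 4500))          # NAT traversal encapsulation
        if opts == ["ah"]:
            if kind == "ipsecnat":
                raise ValueError("ipsecnat tunnels do not allow the ah option")
            allow.append(("51", None))           # Authentication Header
        elif opts not in ([], ["noah"]):
            raise ValueError(f"bad ipsec option: {spec}")
        return allow
    if kind in OPENVPN:
        proto, port = "udp", 1194                # defaults stated on the page
        if opts and opts[0] in ("tcp", "udp"):
            proto = opts.pop(0)
        if opts:
            port = int(opts.pop(0))
        if opts:                                 # e.g. openvpn:4444:tcp
            raise ValueError("protocol must precede the port, e.g. openvpn:tcp:4444")
        return [(proto, port)]
    if kind == "generic":
        if not opts:
            raise ValueError("generic needs :protocol")
        port = None
        if len(opts) > 1:
            if opts[0] not in ("tcp", "udp", "6", "17"):
                raise ValueError("a port is only valid with tcp or udp")
            port = int(opts[1])
        return [(opts[0], port)]
    raise ValueError(f"type {kind!r} is not handled by this example")

def parse_line(line):
    """Split one tunnels row into its columns; GATEWAY and GATEWAY ZONES may be lists."""
    cols = line.split("#")[0].split()            # drop trailing comments
    if len(cols) < 3:
        raise ValueError("TYPE, ZONE and GATEWAY are required")
    return {"type": cols[0], "zone": cols[1], "gateways": cols[2].split(","),
            "gateway_zones": cols[3].split(",") if len(cols) > 3 else [],
            "allow": parse_type(cols[0])}
```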

FILES
/etc/shorewall/tunnels

/etc/shorewall6/tunnels

SEE ALSO
http://www.shorewall.net/configuration_file_basics.htm#Pairs[3]

shorewall(8)

NOTES
1. http://www.shorewall.net/VPNBasics.html
https://shorewall.org/VPNBasics.html

2. shorewall-exclusion
https://shorewall.org/manpages/shorewall-exclusion.html

3. http://www.shorewall.net/configuration_file_basics.htm#Pairs
https://shorewall.org/configuration_file_basics.htm#Pairs

Configuration Files               01/15/2020              SHOREWALL-TUNNELS(5)